Description:
TACACS+ (Terminal Access Controller Access-Control System) is a protocol for the authentication, authorization, and accounting (AAA) of users. It provides access to the network only for certain users (authentication), it regulates the permissions of those users (authorization), and it logs user interactions (accounting). TACACS+ is an alternative to other AAA protocols such as RADIUS.
This article describes how to set up TACACS+ on an XS-51xx / XS-61xx and GS-45xx series switch, along with any special characteristics that have to be observed when logging on.
Requirements:
- LCOS SX as of version 5.20 RU10
- Any browser for access via the web interface
Procedure:
1) Configuration steps on the switch:
1.1) Connect to the web interface of the switch and navigate to the menu Security → TACACS+ → Server Summary.
1.2) Click Add to create an entry for a server.
1.3) Modify the following parameters and then click Submit:
- Server: Enter the IP address or DNS name of the TACACS+ server (in this example 192.168.1.100).
- Port: Change the Port if necessary. For this example we are using the standard port 49.
- Key String: Enter the Secret Key. The secret key is used to authenticate the device on the TACACS+ server.
An option is to store additional entries for TACACS+ servers. These act as a backup in case the first server is not accessible. Up to five TACACS+ servers can be entered.
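The Key String entered above is the shared secret with which the switch and the TACACS+ server obfuscate every packet body; if the two keys differ, the server cannot decode what the switch sends. The following Python module is an added illustration, not code from this article or from LCOS SX: it builds and decodes a TACACS+ authentication START packet as RFC 8907 defines it (12-byte header, MD5-chain pad XORed over the body). The key, session ID, user name, port name and address in it are constructed placeholders.

```python
"""TACACS+ (RFC 8907) packet framing and body obfuscation.

Added illustration, not code from the article or from LCOS SX. All values
used in the demo (key, session id, user, port, address) are constructed.
"""
import hashlib
import struct

TAC_PLUS_PORT = 49                 # default TCP port, as used in the article
TAC_PLUS_AUTHEN = 0x01             # header 'type' for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in clear (debug only)
VERSION = 0xC0                     # major version 0xC, minor version 0 (ASCII login)
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Derive the obfuscation pad (RFC 8907 section 4.5):
    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1})
    The digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. The operation is its own inverse, so the
    same call de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: str, port: str,
                       rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Build the authentication START packet (seq_no 1) for an ASCII login.
    priv_lvl is the level the client asks for, e.g. 1 (read-only) or 15."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!BBBBBBBB",
                       0x01,          # action: TAC_PLUS_AUTHEN_LOGIN
                       priv_lvl,
                       0x01,          # authen_type: TAC_PLUS_AUTHEN_TYPE_ASCII
                       0x01,          # authen_service: TAC_PLUS_AUTHEN_SVC_LOGIN
                       len(u), len(p), len(r), len(d)) + u + p + r + d
    seq_no = 1
    header = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """De-obfuscate with the shared key and decode a START body, the way the
    server side does. With a mismatched key the length fields decode to
    garbage and the consistency check below fails, which is how a wrong
    Key String on the switch shows up."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    raw = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = raw
    else:
        body = obfuscate(raw, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("truncated body")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ul + pl + rl + dl != length:
        raise ValueError("inconsistent lengths: wrong shared key or corrupt packet")
    off = 8
    user = body[off:off + ul].decode()
    off += ul
    port = body[off:off + pl].decode()
    off += pl
    rem_addr = body[off:off + rl].decode()
    return {"session_id": session_id, "priv_lvl": priv_lvl,
            "user": user, "port": port, "rem_addr": rem_addr}


if __name__ == "__main__":
    # Constructed demo values; nothing here comes from the article.
    pkt = build_authen_start(0x1A2B3C4D, b"constructed-shared-key",
                             "demo-user", "https", "192.0.2.10", priv_lvl=15)
    print(parse_authen_start(pkt, b"constructed-shared-key"))
```

Two points worth keeping in mind when reading this: the MD5 pad is obfuscation, not encryption, and RFC 8907 itself says TACACS+ should only be carried over a trusted management network; and the unencrypted flag exists for debugging only, so a packet capture that shows flag 0x01 on a production switch is a misconfiguration to fix.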
1.4) Navigate to the menu System → AAA → Authentication List.
1.5) Select the required protocol (in this example HTTPS with the httpslist) and click Edit to make further settings.
The protocols HTTP (httplist) and Telnet and SSH (networklist) are selected in a similar way.
1.6) Under Selected Methods, choose the option Local and click the arrow icon pointing left to remove it.
1.7) Under Available Methods, hold down the <CTRL> button and select the options TACACS and Local and add them by clicking the arrow icon pointing to the right.
The methods under Selected Methods are tried in the order listed, so TACACS must come first and Local second. If the TACACS+ server cannot be reached, authentication falls back to the local user table.
1.8) Click Submit to accept the changes.
1.9) Go to the Authorization List tab and select the list dfltCmdAuthList. Then click Edit to make further settings.
Authorization can only be enabled for configuration via command line, Telnet, and SSH, but not for the web interface.
If you execute steps 1.10 to 1.12 for the dfltExecAuthList as well, the login will be performed with extended rights. The extended rights therefore do not have to be requested separately using the Enable command.
1.10) Under Selected Methods, choose the option None and click the arrow icon pointing left to remove it.
1.11) Under Available Methods, choose the option TACACS and click the arrow icon pointing right to add it.
1.12) Click Submit to accept the changes.
1.13) Change to the tab Accounting List and make sure that the dfltCmdList and dfltExecList are set as shown in the screenshot.
If the settings differ, you can reset the lists to the default values by clicking the “power-on” symbol.
1.14) Change to the tab Accounting Selection and, for each entry, make sure that Exec is set to dfltExecList and that Commands is set to dfltCmdList.
1.15) Click Save Configuration in the top right-hand corner to save the configuration as the start configuration.
The start configuration is retained even if the device is restarted or there is a power failure.
As an alternative, the current configuration can be saved as the Start Configuration from the command line with the command write memory.
1.16) Confirm the message by clicking OK.
1.17) This concludes the configuration steps on the switch.
2) Accessing and editing the device configuration:
A user can have either privilege level 1 or 15:
- Privilege-Level 1: The user has read-only permissions.
- Privilege-Level 15: The user has read and write permissions. The device configuration can therefore only be modified by a user with privilege level 15.
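The privilege level a user receives, and whether a given command is authorized, are decided by the user definitions on the TACACS+ server, which this article does not cover. The following fragment is a constructed example in the configuration syntax of the open-source tac_plus daemon, added here as an illustration and not taken from the article or from LANCOM; the key, user names and passwords are placeholders.

```text
# Constructed tac_plus.conf fragment (added example, not from the article).
# The key must match the Key String entered on the switch.
key = "REPLACE-WITH-SWITCH-KEY-STRING"

# Read-only operator: privilege level 1. Only "show" commands are permitted
# when the switch sends command-authorization requests (dfltCmdAuthList);
# anything else is denied and the switch prints "Command is not authorized".
user = readonly-user {
    login = cleartext "REPLACE-ME"
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}

# Administrator: privilege level 15 and all commands permitted. With
# dfltExecAuthList also set to TACACS, the session starts at level 15
# without a separate "enable".
user = TACACS-User {
    login = cleartext "REPLACE-ME"
    service = exec {
        priv-lvl = 15
    }
    default service = permit
}
```

Cleartext passwords are used here only to keep the example readable; on a real server store hashed credentials or delegate login to a backend, and keep the key file readable by the daemon user alone.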
2.1) Accessing and editing the device configuration from the web interface:
Enter your login details in the web-interface login screen and click Login:
- Username: Enter the TACACS user (in this example TACACS-User).
- Password: Enter the password for the TACACS user.
2.2) Accessing and editing the device configuration from the command line:
2.2.1) On the command line, enter the TACACS user followed by the corresponding password.
2.2.2) If an unauthorized command is executed on the device, it displays the message Command is not authorized.